Control system for a system rendered secure through diversification

ABSTRACT

This control system for a system rendered secure by diversification comprises: a set of processors processing railway commands, arranged in parallel and each capable of receiving different sets of instructions, and a component for selecting commands from the output data issuing from the processors.
The modular application automatic systems are identical for all sets of instructions, and each set of instructions associated with a processor is specific for creating a separate sequencer for the successive activation of the modular application automatic systems in a particular sequence.

TECHNICAL FIELD

This application claims the benefit of French Patent Application 0602390 filed Mar. 17, 2006, the entire disclosure of which is hereby incorporated by reference herein.

The invention relates to a control system for a system, in particular a railway system, which has been rendered secure through diversification, of the type including:

a set of at least two processors processing commands intended for the railway system, arranged in parallel to receive identical input data E on a corresponding input,

each processor being capable of receiving two different sets of instructions through which it can compute and deliver identical output data S(P1), S(P2), S(P3) at different outputs in relation to the identical input data E,

a command selection component provided with at least two inputs, each input being connected to a processor output, and a command output capable, on the basis of a predetermined criterion, of delivering a command signal selected from the output data issuing from the processors.

The railway system includes a switching system connected to a level crossing system and a system giving warning of closure of the crossing barrier.

BACKGROUND TO THE INVENTION

For safety reasons it is known that a control system for a railway system can be diversified in the form of processing branches having different computation circuit configurations. On the basis of the same input data each processing branch carries out the same applications or application algorithms, but using different forms of computation.

In the situation where each branch is functioning correctly, identical commands are issued as outputs from each branch.

If there should be a failure in the circuitry of one of the branches, different commands are produced.

In the case where several branches fail simultaneously, different commands are also produced because of the lack of breakdown correlation between branches having different computation circuit configurations. This conventional arrangement is particularly advantageous when complex algorithms are used.

One well-known simple implementation of this secure control system, from the physical point of view, comprises providing a processor of identical architecture in each branch.

In this well-known implementation each processor runs a different set of instructions or object program originating from a different source program depending upon the language of the different associated compiler, each different source program emulating the same application defined by the same inputs, the same outputs and the same application algorithms.

However, this implementation, which is simple from the physical point of view, remains complex from the software point of view, requiring the development of many software components in proportion to the number of different languages or compilers used.

The specific problem arising with such a conventional control system rendered secure through diversification is the complexity of the development of the software components using several compilation languages.

SUMMARY OF THE INVENTION

An object of the invention is therefore to provide a control system which has been rendered secure through diversification in respect of which development of the software components requires reduced effort.

For this purpose the present invention provides a control system for a railway system which has been rendered secure through diversification including:

a set of at least two processors processing commands intended for the railway system, arranged in parallel to receive identical input data E on a corresponding input,

each processor being capable of receiving two different sets of instructions through which it can calculate and deliver identical output data S(P1), S(P2), S(P3) at different outputs in relation to the identical input data E,

a command selection component provided with at least two inputs, each input being connected to the output of a processor, and a command output capable, on the basis of a predetermined criterion, of delivering a command signal selected from the output data originating from the processors, wherein:

each set of instructions associated with a processor makes it possible to run at least two modular application automatic systems, the modular application automatic systems being identical for all the sets of instructions,

each set of instructions associated with a processor is specific to creating a subsequent activation sequencer for the modular application automatic systems in an associated sequence,

and in which each sequencer differs from the other sequencers through its specific associated sequence.

According to particular embodiments the control system rendered secure through diversification may include one or more of the following features:

each sequencer specifically activates and sequences the modular application automatic systems on the basis of a different cyclical sequence of running the application automatic systems having the same cycle and a different cycle start or path direction,

each sequencer specifically activates and sequences the modular application automatic systems on the basis of a different cyclical sequence of running the application automatic systems having the same cycle path in the same direction,

each sequencer specifically activates and sequences the modular application automatic systems on the basis of a different sequencer sequence formed from a succession of partial sequences of modular application automatic systems grouped into subgroups subdividing the set of modular application automatic systems in the control system,

the subgroups of automatic systems are the same for all the processors,

each modular application automatic system includes automatic system inputs and automatic system outputs,

an automatic system input being external when it is capable of receiving a variable item of input data from the control system,

an automatic system output being external when it is capable of delivering a variable item of output data from the control system,

an input and an output from a given automatic system or two different automatic systems being internal when they are capable of being interconnected and exchanging a given internal variable item of data,

the set of variable input and output data of the automatic systems forms a state vector for the control system,

and the control system for each processor includes a working memory including:

a register for the start state when running the sequence of automatic systems, including the values for the set of state variables before the sequence of automatic systems is run,

a register for the end state when running the sequence of automatic systems, including the values of the set of the state variables of the state vector obtained after running the sequence of automatic systems,

for each processor, and while the sequence is being run, the processor may only read from the start state register and only write to the end state register,

for each processor, the start state register for the sequence may only be written to and refreshed by the values for the state variables present in the sequence end register once the sequence has been run,

and each processor is able to run the sequence of automatic systems repeatedly until the values for the state variables of at least two associated state registers are the same,

each processor includes a program database including a set of processor instructions which can be loaded into the processor and are capable of running the sequence of application automatic systems in the sequence ordered by the sequencer associated with the processor,

each program database includes a set of instructions obtained using the same compiler,

the command selection component is a component reaching a decision on the basis of a majority vote from the output data originating from all the processors, the component being able to compare the output data originating from the respective outputs from each processor and transmit common output data on a majority basis in relation to the set of processors on the basis of the predetermined majority criterion, and

the command selection component is a component making decisions on the basis of unanimity.

The invention also provides a control process rendered secure through diversification including stages of:

loading at least two processors with program databases associated with different sets of instructions,

providing identical input data for processors arranged in parallel via respective inputs,

causing each processor to run the set of different instructions associated with it so that it can compute and deliver identical output data at respective outputs on the basis of identical input data E, the running of a set of instructions by a processor including the stages of:

running at least two modular application automatic systems, the modular application automatic systems being identical for each set of instructions, in a specific sequence which is different from the sequences for the other sets of instructions,

extracting the output data obtained after running the sequence,

delivering output data to the command selection component, and

selecting a command signal from the output data originating from the processors, on the basis of a specific criterion.

According to particular embodiments, the secure control process may include one or more of the following features:

validating or correspondingly prohibiting transmission of the command issuing from the plurality of output data received, on the basis of the selection criterion, and

in the event of prohibition, signalling the existence of a fault in at least one processor.

BRIEF DESCRIPTION OF THE FIGURES

The invention will be better understood from a reading of the following description provided purely by way of example and with reference to the appended drawings, in which:

FIG. 1 is a diagrammatical block diagram of a control system rendered secure through diversification,

FIGS. 2A, 2B, 2C are respectively block diagrams of a first embodiment of the program databases illustrated in FIG. 1,

FIGS. 3A, 3B, 3C are respectively illustrations of the sequences associated with each of the program databases in FIGS. 2A, 2B, 2C,

FIG. 4A is a diagrammatical view of the respective inputs and outputs associated with each of the automatic systems illustrated in FIGS. 2A, 2B, 2C,

FIGS. 4B and 4C are respectively diagrammatical views of the structure of the state vector data associated with a sequence start state register and a sequence end state register in any working memory,

FIG. 5 is a flow chart of the control process implemented through the diversification control device in accordance with the first embodiment of the program databases, and

FIGS. 6A, 6B, 6C, 6D, 6E are a sequence of a second embodiment of the program databases.

DESCRIPTION OF PREFERRED EMBODIMENTS

Control system 2 rendered secure through diversification illustrated in FIG. 1 includes three computational or processing systems, each respectively comprising a first processor 4 or P1, a second processor 6 or P2 and a third processor 8 or P3.

Each processor 4, 6, 8 receives the same input data originating from a predetermined railway system 9 through an associated input 10, 12, 14.

Each processor 4, 6, 8 specifically runs a computational program or set of instructions loaded from an associated program database 16, 18, 20 to which it is connected, respectively.

Each processor 4, 6, 8 can exchange working data with an associated working database 22, 24, 26.

Each processor 4, 6, 8 is provided with an associated output 28, 30, 32 capable of delivering output data S(P1), S(P2), S(P3) after processing.

Secure control system 2 also includes a command selection component 34, in this case comprising three inputs 36, 38, 40. Each input 36, 38, 40 can receive the output signal S(P1), S(P2), S(P3) originating from each processor 4, 6, 8 or (P1, P2, P3).

Command selection component 34 includes an output 42 connected to a command receiving terminal 44.

The structural content of the first embodiment of each program database 16, 18, 20 associated with each processor 4, 6, 8 is illustrated in FIGS. 2A, 2B, 2C respectively.

First program database 16 associated with first processor P1 includes a sequence of automatic systems 46, 48, 50, 52 or A, B, C, D ordered in the order A, B, C, D in a first sequence and a first sequencer 54 or Seq1 controlling the sequencing of the automatic systems in that order.

Second program database 18 associated with second processor P2 includes the same automatic systems ordered in a second, different sequence 50, 52, 46, 48 or C, D, A, B and a second sequencer 56 or Seq2 controlling the sequencing of the automatic systems in that order.

Third program database 20 associated with third processor P3 includes automatic systems A, B, C, D ordered in yet a third different sequence D, C, B, A and a third sequencer 58 or Seq3 controlling the sequencing of the automatic systems in that order.

The automatic systems corresponding to a given application in each program database are identical insofar as they are generated from a given source code and the same compiler.

All the automatic systems in each database are generated using the same compiler.

The first, second and third sequences implemented by sequencers Seq1, Seq2 and Seq3 are described in FIGS. 3A, 3B, 3C respectively. Each sequence 60, 70, 78 formed from a given cycle 62 includes a sequence start 64, 72, 80, here A in FIG. 3A, C in FIG. 3B, and D in FIG. 3C. This sequence 60, 70, 78 is run in a direction 66, 74, 82, a clockwise direction 66 in FIG. 3A, a clockwise direction 74 in FIG. 3B and a counter-clockwise direction 82 in FIG. 3C, respectively. A sequence end 68, 76, 84 resulting from the path of each sequence 60, 70, 78 from the start 64, 72, 80 corresponds to each sequence 60, 70, 78.

FIG. 4A shows the set of automatic systems intended for modular applications. Here automatic system A simulates a route model, automatic system B is used to simulate a level crossing model, automatic system C simulates an announcement model and automatic system D reproduces a switching model.

Automatic system A receives two input signals E1, E2 from the railway system on two inputs 86, 88 and provides a first internal signal I1 at output 90.

Automatic system B has two inputs 92, 94 receiving first internal signal I1 and first input signal E1 from the railway system respectively. Automatic system B is also provided with two outputs 96, 98 which can produce a second internal signal I2 and a first external output signal S1.

Automatic system C receives second internal signal I2 and first external input signal E1 on two inputs 100, 102 respectively. Automatic system C delivers a second external output signal S2 at an output 104.

Automatic system D receives first external input signal E1 and second external input signal E2 on two inputs 106, 108. Automatic system D delivers a third external output signal S3 at a single output 110.

Here first external input signal E1 is a current time while second external input signal E2 is an indicator that a railway location mark has been passed. First internal variable I1 here represents an expected crossing time at a level crossing and second internal variable I2 represents the computed announcement command time.

First external output signal S1 is a command to lower the barriers at the level crossing, second external output signal S2 is the command announcing closure of the level crossing while third external output signal S3 is a switching command.

Each working memory 22, 24, 26 associated with a processor (P1, P2, P3) includes a sequence start state register 112 and a sequence end state register 113 which are common to the processors (P1, P2, P3) and illustrated in FIGS. 4B and 4C respectively.

Each of the registers illustrated in FIGS. 4B and 4C is represented by a corresponding state vector. The state vector of sequence start register 112 in FIG. 4B includes seven memory locations 114, 116, 118, 120, 122, 124, 126, and is subdivided into three memory zones: a first zone 114, 116 which can place the two external inputs E1, E2 in memory, a second zone I(Pi), 118, 120 which can place the two internal variables I1(Pi), I2(Pi) in memory and a third zone S(Pi), 122, 124, 126 which can place external output data S1(Pi), S2(Pi) and S3(Pi) in memory.

Sequence end state register 113 includes a structure 130, 132, 134, 136, 138, 140, 142 similar to the memory locations 114, 116, 118, 120, 122, 124, 126 of sequence start state register 112.

Operation of the control system rendered secure through diversification is described by the flow chart in FIG. 5, which is implemented by processors P1, P2 and P3.

In a first stage 144 the railway system sends the same input data E to each of processors P1, P2 and P3 in a common way so that they can carry out the corresponding processing 146, 148 and 150. In a first stage 152 first processor P1 initialises sequence start state register 112, shown by state vector V1-ds in FIG. 5. Then it runs first automatic system 154, here A, then second 156, here B, then third 158, here C, then fourth 160, here D, according to the first sequence associated with first processor P1 and illustrated in FIG. 3A.

At the end of the sequence the output data obtained from each automatic system A, B, C, D form state vector V1-fs at 162 associated with sequence end state register 113.

In test stage 164 which follows, the state vector of sequence start state register V1-ds is compared with that of sequence end state register V1-fs.

If state vectors V1-ds and V1-fs are not the same, first sequence A, B, C, D is run again, after sequence start register 112 has first been refreshed with state vector V1-fs from sequence end state register 113. If the state registers have the same state vectors V1-ds and V1-fs in test stage 164, the output data are then extracted at stage 170.

Processing 148 by second processor P2 is similar to that for first processor P1 except for the order of the automatic systems. Thus at the start of processing a task 172 of initialising the sequence start state register, here V2-ds, is performed. However, the sequence is run differently because it is the second sequence illustrated in FIG. 3B which is followed, namely the sequence C, D, A, B.

A test 176 comparing the state vectors in sequence start record V2-ds and sequence end record V2-fs is also carried out, refreshing 178 the sequence start record in the situation where the test is negative.

When the test is positive, output data S(P2) from processing by the second processor are extracted at stage 180.

Likewise processing 150 in third processor P3 is similar to the processing in first and second processors P1, P2, except for the order.

A stage 182 of initialising sequence start state register 112 is also performed. The sequence of automatic systems run is that of the third sequence illustrated in FIG. 3C, namely sequence D, C, B, A.

Likewise output data S(P3) from the automatic systems are provided to the sequence end state register in stage 184. A similar test 186 is carried out comparing state vectors V3-ds and V3-fs in sequence start state register 112 and sequence end state register 113. The sequence is run repeatedly until the test is positive.

If the test is negative, the sequence end state register refreshes, 188, sequence start register 112. If the test is positive the output data S(P3) from third processor P3 are extracted, 186, and delivered to command selection component 34. Each output from each processor S(P1), S(P2), S(P3) is sent to command selection component 34. In the command selection stage, 192, the output values from each of the processors are compared.

If the output values are all the same, output command C is equal to one of output values S(P1), S(P2), S(P3), validated and transmitted in stage 194 to receiving terminal 44 of the railway system control.

If one of these data items is different, then in a stage 196 a signal gives warning of a fault in the control system rendered secure through diversification.
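The FIG. 5 flow chart, as an added Python simulation that is not part of the patent: four modules with the inputs and outputs of FIG. 4A, a seven-slot state register (FIG. 4B/4C), one sequencer per processor and the command selection component 34. The module logic, the timing constants and the treatment of E2 as the time at which the mark was passed are constructed assumptions; what the code demonstrates is that, because every module reads only the start register and writes only the end register, the three orders reach the same fixed point in the same number of runs and deliver identical outputs, so a single faulty branch is visible to the voter.

```python
from typing import Callable, Dict, List, Optional, Tuple

State = Dict[str, int]
# The seven memory locations of a state register (FIG. 4B/4C): zone E holds
# the external inputs, zone I the internal variables, zone S the outputs.
SLOTS = ("E1", "E2", "I1", "I2", "S1", "S2", "S3")

# Constructed timings in seconds (assumptions, not from the patent): a train
# that passed the location mark is expected at the crossing 120 s later,
# closure is announced 60 s before that, barriers are lowered 30 s before it.
TRAVEL_TIME, ANNOUNCE_LEAD, BARRIER_LEAD = 120, 60, 30

# E1 is the current time. Simplification: E2 carries the time at which the
# mark was passed (0 = not passed) instead of a bare flag. Every module reads
# only the start register and returns the slots it writes to the end register.
def module_a(start: State) -> State:
    """Route model: expected crossing time I1."""
    return {"I1": start["E2"] + TRAVEL_TIME if start["E2"] else 0}

def module_b(start: State) -> State:
    """Level-crossing model: announcement time I2, lower-barriers command S1."""
    i1 = start["I1"]
    return {"I2": i1 - ANNOUNCE_LEAD if i1 else 0,
            "S1": int(bool(i1) and start["E1"] >= i1 - BARRIER_LEAD)}

def module_c(start: State) -> State:
    """Announcement model: closure announcement command S2."""
    i2 = start["I2"]
    return {"S2": int(bool(i2) and start["E1"] >= i2)}

def module_d(start: State) -> State:
    """Switching model: switching command S3."""
    return {"S3": int(bool(start["E2"]))}

MODULES: Dict[str, Callable[[State], State]] = {
    "A": module_a, "B": module_b, "C": module_c, "D": module_d}

# One sequencer per processor: the same modules, a different order (FIG. 3).
SEQUENCERS = {"P1": "ABCD", "P2": "CDAB", "P3": "DCBA"}

def run_branch(order: str, e1: int, e2: int, max_runs: int = 10) -> Tuple[State, int]:
    """One processing branch as in FIG. 5: initialise the start register, run
    every module against it, compare start and end registers, refresh start
    from end and repeat until they agree. Returns S(Pi) and the run count."""
    start: State = {s: 0 for s in SLOTS}
    start.update(E1=e1, E2=e2)
    for run in range(1, max_runs + 1):
        end: State = {"E1": start["E1"], "E2": start["E2"]}  # zone E copied
        for name in order:                    # the only branch-specific step
            end.update(MODULES[name](start))  # read start, write end only
        if end == start:                      # test stage 164 / 176 / 186
            return {k: end[k] for k in ("S1", "S2", "S3")}, run
        start = end                           # refresh start register from end
    raise RuntimeError("sequence did not reach a fixed point")

def select_command(outputs: List[State], criterion: str = "unanimity") -> Tuple[Optional[State], bool]:
    """Command selection component 34. Returns (command, fault): command is
    None when transmission is prohibited, fault is True when at least one
    processor disagrees with the others."""
    fault = any(o != outputs[0] for o in outputs)
    if criterion == "unanimity":
        return (None if fault else outputs[0]), fault
    if criterion == "majority":
        for cand in outputs:
            if sum(o == cand for o in outputs) * 2 > len(outputs):
                return cand, fault
        return None, fault
    raise ValueError(f"unknown criterion {criterion!r}")

def control_cycle(e1: int, e2: int, criterion: str = "unanimity",
                  corrupt: Optional[str] = None) -> Tuple[Optional[State], bool]:
    """Run all three branches on the same input data E and vote. `corrupt`
    names a processor whose S3 output is flipped, modelling a faulty branch."""
    outputs = []
    for proc, order in SEQUENCERS.items():
        s, _ = run_branch(order, e1, e2)
        if proc == corrupt:
            s = dict(s, S3=1 - s["S3"])
        outputs.append(s)
    return select_command(outputs, criterion)

if __name__ == "__main__":
    for proc, order in SEQUENCERS.items():
        print(proc, order, run_branch(order, e1=1000, e2=940))
    print(control_cycle(1000, 940))
    print(control_cycle(1000, 940, "unanimity", corrupt="P2"))
    print(control_cycle(1000, 940, "majority", corrupt="P2"))
```

With the constructed timings, the mark passed 60 s ago at E1 = 1000 needs four runs (I1, then I2, then S2 propagate one run at a time) before the registers agree, whichever order is used.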

As a variant, a sequence formed from the set of automatic systems 198, 200, 202, 204, 206, 208, 210, 212, 214, 216 of a second embodiment of the program database is described in FIGS. 6A, 6B, 6C, 6D and 6E taken together.

In FIG. 6A these automatic systems are identified and referred to as P, Q, R, S, T, U, V, W, X, Y, Z.

The set of automatic systems 198, 200, 202, 204, 206, 208, 210, 212, 214, 216 is subdivided into three subgroups 218, 220, 222 or SG1, SG2, SG3, a first subgroup 218 or SG1 including automatic systems P, Q, R, a second subgroup 220 or SG2 including automatic systems S, T, V, W, and a third subgroup 222 or SG3 including automatic systems X, Y, Z, respectively.

A sequence 224 of subgroups is described in FIG. 6B based on a cycle of subgroups 226 formed by the sequence SG1, SG2, SG3, a sequence start 228, here SG1, a path direction 230, here clockwise, and a sequence end 242 for subgroup 232, here SG3.

A sequence 240 of first subgroup SG1 is described in FIG. 6C. The sequence of first subgroup 240 is formed from a cycle 236, here P, Q, R, the sequence start 238 of which is here automatic system Q, run in direction 240, here clockwise, with end of sequence 242 being automatic system P.

A sequence 244 of second subgroup SG2 is described in FIG. 6D based on a cycle 246, here S, T, V, W, the start of this sequence 248 being here automatic system S, cycle 250 being run in a clockwise direction, and end of sequence 252 being provided by automatic system W.

Finally the sequence of third subgroup SG3 is formed on the basis of cycle 256, here X, Y, Z, sequence start 258 including automatic system Z, and cycle 260 being run in a direction 260, here counter-clockwise, sequence end 262 being then determined by automatic system X. The sequence of automatic systems so obtained is formed by concatenating partial sequences 234, 244, 254 according to the sequence of subgroups SG1, SG2, SG3.

Thus the sequence of automatic systems described by the set of figures is Q, R, P, S, T, V, W, Z, Y, X.
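The cycle, start and path-direction rule of FIGS. 3A to 3C and the subgroup concatenation of FIGS. 6B to 6E, as an added example that is not the patent's own code: a small generator that reproduces the three first-embodiment orders and the Q, R, P, S, T, V, W, Z, Y, X sequence, plus a check a practitioner would run on a set of sequencers (same module set, each module scheduled once, no two orders identical). The function names and the check are assumptions of this example.

```python
import itertools
from typing import Dict, List, Sequence, Tuple

def cyclic_sequence(cycle: Sequence[str], start: str, clockwise: bool = True) -> List[str]:
    """One complete pass round `cycle` beginning at `start`. Clockwise follows
    the cycle as listed, counter-clockwise walks it backwards, so the sequence
    end is the element just before `start` (clockwise) or just after it."""
    if start not in cycle:
        raise ValueError(f"{start!r} is not in the cycle")
    n, i = len(cycle), cycle.index(start)
    step = 1 if clockwise else -1
    return [cycle[(i + k * step) % n] for k in range(n)]

# Specification of one partial sequence: (cycle, start element, clockwise?)
PartialSpec = Tuple[Sequence[str], str, bool]

def subgroup_sequence(subgroup_cycle: Sequence[str], subgroup_start: str,
                      subgroup_clockwise: bool,
                      partials: Dict[str, PartialSpec]) -> List[str]:
    """Second embodiment (FIGS. 6B to 6E): walk the cycle of subgroups and
    concatenate each subgroup's own cyclic partial sequence."""
    order: List[str] = []
    for sg in cyclic_sequence(subgroup_cycle, subgroup_start, subgroup_clockwise):
        cycle, start, clockwise = partials[sg]
        order.extend(cyclic_sequence(cycle, start, clockwise))
    return order

def check_diversification(sequences: Dict[str, Sequence[str]]) -> List[str]:
    """Return the problems found in a set of sequencers (empty list = OK).
    Every sequencer must schedule the same modules exactly once, and no two
    sequencers may share an order, since the order is the only thing that
    differs between the branches."""
    problems: List[str] = []
    names = list(sequences)
    ref = set(sequences[names[0]])
    for n in names:
        seq = sequences[n]
        if len(set(seq)) != len(seq):
            problems.append(f"{n}: a module is scheduled more than once")
        if set(seq) != ref:
            problems.append(f"{n}: module set differs from {names[0]}")
    for a, b in itertools.combinations(names, 2):
        if list(sequences[a]) == list(sequences[b]):
            problems.append(f"{a} and {b} use the same order")
    return problems

# First embodiment (FIGS. 3A to 3C): the same cycle A, B, C, D for every
# processor, differing only in start element and direction.
FIRST_EMBODIMENT = {
    "Seq1": cyclic_sequence("ABCD", "A", clockwise=True),
    "Seq2": cyclic_sequence("ABCD", "C", clockwise=True),
    "Seq3": cyclic_sequence("ABCD", "D", clockwise=False),
}

# Second embodiment (FIGS. 6A to 6E): subgroups SG1, SG2, SG3 as described.
SECOND_EMBODIMENT = subgroup_sequence(
    ["SG1", "SG2", "SG3"], "SG1", True,
    {"SG1": ("PQR", "Q", True),
     "SG2": ("STVW", "S", True),
     "SG3": ("XYZ", "Z", False)})

if __name__ == "__main__":
    for name, seq in FIRST_EMBODIMENT.items():
        print(name, "".join(seq))
    print("second embodiment:", ", ".join(SECOND_EMBODIMENT))
    print("problems:", check_diversification(FIRST_EMBODIMENT))
```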

Thus the different sets of instructions formed by different specific orderings of the modular application automatic systems make it possible to use different circuit activation sequences in each of the processors having identical architecture, a sequence being defined in relation to the generic architecture of the processors.

Thus the different sets of instructions obtained may satisfy the diversification requirements placed on the control system by railway safety constraints.

Furthermore the process of producing these different sets of instructions may be simple to implement because only one software development platform needs to be used.

In fact the development effort for the application modules using a single compiler may be reduced, as the application modules can advantageously be reused from one processing branch to another.

In an alternative embodiment, the control system described hereabove may operate without any substantial modification for an aircraft or spacecraft on-board system, or else for a protection or emergency stopping system used in a nuclear installation.

Alternatively, the control system described hereabove may operate for all systems rendered secure by safety-critical software design.

CLAIMS

1. A control system for a railway system rendered secure through diversification comprising: at least two processors processing commands for the railway system, the processors arranged in parallel to receive identical input data on a corresponding input, each processor receiving a first and second set of instructions, each processor calculating and delivering identical output data at different outputs with respect to the identical input data, the first set of instructions being different from the second set of instructions, a command selection component including at least two inputs and a command output, each input connected to an output of a processor, the command output delivering a command signal selected from the processor output data based on a predetermined criterion, the first and second sets of instructions corresponding to each processor running at least two modular application automatic systems, the modular application automatic systems being identical for the first and second sets of instructions, the first and second sets of instructions corresponding to each processor being specific to creating a subsequent activation sequencer for the modular application automatic systems in an associated sequence, each sequencer differing from other sequencers by the specific associated sequence.

2. The control system rendered secure through diversification as recited in claim 1 wherein each sequencer specifically activates and sequences the modular application automatic systems based on a different cyclical sequence of running the application automatic systems having the same cycle and a different cycle start or path direction.

3. The control system rendered secure through diversification as recited in claim 2 wherein each sequencer specifically activates and sequences the modular application automatic systems based on a different cyclical sequence of running the application automatic systems having the same cycle path in the same direction.

4. The control system rendered secure through diversification as recited in claim 1 wherein each sequencer specifically sequences the modular application automatic systems based on a different sequencer sequence formed from a succession of partial sequences of modular application automatic systems grouped into subgroups subdividing the set of modular application automatic systems in the control system.

5. The control system rendered secure through diversification as recited in claim 4 wherein the subgroups of automatic systems are the same for the at least two processors.

6. The control system rendered secure through diversification as recited in claim 1 wherein each modular application automatic system includes automatic system inputs and automatic system outputs, the automatic system input being external when receiving a variable item of input data from the control system, the automatic system output being external when delivering a variable item of output data from the control system, an input and an output for a same automatic system or two different automatic systems being internal when the input and output are interconnected and exchanging a given variable internal item of data, the set of variable input items of data and output data of the automatic systems forming a state vector for the control system, for each processor the control system including a working memory, the working memory including a register for the start state when running the sequence of automatic systems containing the values for the set of state variables before the sequence of automatic systems is run, and a register for the end state when running the sequence of automatic systems containing the values of the set of state variables for the state vector obtained after running the sequence of automatic systems.

7. The control system rendered secure through diversification as recited in claim 6 wherein for each processor and while the sequence is being run, each processor only reads from the start state register and only writes to the end state register.

8. The control system rendered secure through diversification as recited in claim 7 wherein for each processor, the start state register for the sequence can only be written to and refreshed by the values for the state variables present in the sequence end register once the sequence has been run, and each processor runs the sequence of automatic systems repeatedly until the values for the state variables of at least two associated state registers are the same.

9. The control system rendered secure through diversification as recited in claim 1 wherein each processor includes a program database including a set of processor instructions loaded into the processor and running the sequence of application automatic systems in the sequence ordered by the sequencer associated with the processor.

10. The control system rendered secure through diversification as recited in claim 9 wherein each program database includes a set of instructions obtained using the same compiler.

11. The control system rendered secure through diversification as recited in claim 1 wherein the command selection component is a component reaching a decision on the basis of a majority vote from the output data originating from all the processors, the component being able to compare the output data originating from the respective outputs of each processor and transmit common output data on a majority basis in relation to the set of processors on the basis of a predetermined majority criterion.

12. The control system rendered secure through diversification as recited in claim 11 wherein the command selection component is a component making decisions based on unanimity.

13. The control system rendered secure through diversification as recited in claim 1 that controls a rendered secure type railway system.

14. A secure control process for a system comprising stages comprising: loading at least two processors from program databases associated with different sets of instructions, providing identical input data to the processors arranged in parallel via respective inputs, running the different set of instructions associated with each processor, each processor computing and delivering identical output data at the respective outputs based on identical input data, the running of a set of instructions by a processor including the steps of: running at least two modular application automatic systems, the modular application automatic systems being identical for each set of instructions, in a specific sequence different from the sequences for the other sets of instructions, extracting the output data obtained after running the sequence, and delivering the output data to the command selection component, selecting a command signal selected from the output data originating from the processors, on the basis of a specific criterion.

15. The secure control process as recited in claim 14 further comprising the steps of: validating or correspondingly prohibiting transmission of the command issuing from the plurality of data outputs received, on the basis of the selection criterion; and signaling the existence of a fault in at least one processor in the event of prohibition.